Last modified: 2007-07-11 17:31:10 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T12533, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 10533 - Title::userCan cannot be used for the read permission, read checks must be built into queries
Status: RESOLVED INVALID
Product: MediaWiki
Classification: Unclassified
Component: General/Unknown
Importance: Normal enhancement
Assigned To: Nobody
Reported: 2007-07-11 02:48 UTC by Aryeh Gregor (not reading bugmail, please e-mail directly)
Modified: 2007-07-11 17:31 UTC

Description Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-07-11 02:48:31 UTC
It is impossible to implement read permissions acceptably if arbitrary PHP logic can determine whether the user can read the result.  To quote Yurik, who's currently trying to deal with this for the API, "when getting 5000 articles, and only after everything is queried to discover that the user has no right to see it is horrible".  In particular, it's impossible to implement any kind of paging reasonably if you can't work the readability conditions into the query, since then you have to make an arbitrary number of additional queries to fill out the page.  In the worst case, there may be a huge number of pages of which only a couple (if any) are readable, requiring the entire table to be queried piecewise.

Therefore we need to not call Title::userCan for read, and instead allow only read restrictions that can be used in database queries.  In particular, we currently have only a read whitelist.  We should add to this per-namespace read restrictions, like $wgNsGroupPermissions[ns][group][right].  Those should suffice for almost all purposes.  It might be worth considering allowing use of the protection function for read as well as edit and move, but this isn't really particularly necessary: even packages that allow heavy lockdown (e.g., forum software) don't bother with that that I've heard of.  They expect you to either delete it or move it to a hidden forum (namespace).

We *do* need to incorporate all these protections into the core software, because otherwise we'd have to provide fragile hooks for modifying every single read query.  Read permissions could, if there are still objections to working with them, be treated like PostgreSQL: let the people maintaining them maintain them, and don't expect anyone else to do more than maybe make a note when they add something that ignores them.  Or if there are *really* still philosophical objections from Brion to having this kind of thing in core, we should just implement this anyway sans the ability to use unreadable namespaces, and make it clear that the read permission does not and cannot ever affect the ability to view lists of titles.  But I think that's excessive given the general utility to all sorts of third parties of hiding namespaces.

Comment 1 Yuri Astrakhan 2007-07-11 03:41:37 UTC
I think some sites may want to have "per user read permissions" instead of using the built-in groups. This is totally OK if the site supplies a list of accessible namespaces for the given user:

wfGetUserNsReadRights() would return a whitelist of allowed namespaces:
 [0,1,6,7] or [] (no NS are readable)

The default implementation would return the list of all namespaces available to the current user, and a hook would be able to override that list.

Comment 2 Brion Vibber 2007-07-11 14:56:55 UTC
Paging would be based on presence of entries, not on readability of their contents.

Comment 3 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-07-11 17:31:10 UTC
Okay, I'll take that as "make it clear that the read permission does not and cannot ever affect the ability to view lists of titles".
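
The paging problem from the description and the namespace whitelist from Comment 1, as an added example that is not MediaWiki code and not part of the original thread. It assumes a SQLite table shaped like the `page` table with constructed rows; the function names are hypothetical, and `readable_ns` stands in for a whitelist such as the one Comment 1 proposes.

```python
import sqlite3

def make_db():
    """Constructed sample: 2000 titles, only every 500th is in readable ns 0."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE page (page_id INTEGER PRIMARY KEY, "
               "page_namespace INTEGER, page_title TEXT)")
    db.executemany("INSERT INTO page VALUES (?, ?, ?)",
                   [(i, 0 if i % 500 == 0 else 100, f"T{i}") for i in range(1, 2001)])
    return db

def page_post_filter(db, readable_ns, limit, after_id=0, batch=50):
    """Check readability after the query: keep fetching batches until the page fills."""
    out, queries = [], 0
    while len(out) < limit:
        rows = db.execute("SELECT page_id, page_namespace, page_title FROM page "
                          "WHERE page_id > ? ORDER BY page_id LIMIT ?",
                          (after_id, batch)).fetchall()
        queries += 1
        if not rows:
            break  # table exhausted before the page could be filled
        for pid, ns, title in rows:
            after_id = pid
            if ns in readable_ns:  # stands in for a per-title check in application code
                out.append(title)
                if len(out) == limit:
                    break
    return out, queries

def page_in_query(db, readable_ns, limit, after_id=0):
    """Put the namespace whitelist in the WHERE clause: one query per page."""
    if not readable_ns:  # [] means no namespace is readable
        return [], 0
    marks = ",".join("?" * len(readable_ns))  # placeholders only, values stay bound
    rows = db.execute(f"SELECT page_title FROM page WHERE page_id > ? "
                      f"AND page_namespace IN ({marks}) ORDER BY page_id LIMIT ?",
                      (after_id, *readable_ns, limit)).fetchall()
    return [r[0] for r in rows], 1

if __name__ == "__main__":
    db = make_db()
    print(page_post_filter(db, [0], 3))  # same titles, many queries
    print(page_in_query(db, [0], 3))     # same titles, one query
```

Both functions return the titles together with the number of queries issued, so the cost of filtering after the fact is visible for a sparse whitelist and for one that matches nothing.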
